Your TV, Car & Toaster Could Be Infected: FBI Warns Ransomware Wave Hits 900+ Victims Globally


In May, the FBI and CISA confirmed a dramatic surge in Play ransomware attacks, revealing that over 900 organizations across North and South America and Europe had been breached. The campaign, believed to be operated by a closed ransomware group linked to North Korea’s Reconnaissance General Bureau, is evolving in both tactics and targets, posing threats to businesses, healthcare institutions, and critical infrastructure alike.

Play ransomware relies on silent infiltration, often through exposed Remote Desktop Protocol (RDP) and virtual private network (VPN) access. After gaining entry, the threat actors use well-known tools such as Cobalt Strike, PsExec, and Mimikatz to escalate privileges and exfiltrate sensitive data. Ransom notes provide no clear instructions but urge victims to initiate contact via German-registered email domains, a tactic designed to push the victim into negotiating under duress.

The FBI’s advisory, part of the Stop Ransomware campaign, identifies key vulnerabilities exploited by Play actors, including:

  • CVE-2025-29824 (Windows Common Log File System – patched in April 2025)
  • CVE-2022-41040 / CVE-2022-41082 (Microsoft Exchange Server)
  • CVE-2020-12812 / CVE-2018-13379 (Fortinet FortiOS)

Organizations are urged to apply critical patches, monitor for unusual lateral movement, and review RDP and VPN exposure immediately.

BADBOX 2.0: Malware in the Box Before You Even Unpack It

In a parallel warning, the FBI and the Internet Crime Complaint Center (IC3) have flagged a dangerous resurgence of the BADBOX botnet, now dubbed BADBOX 2.0, targeting millions of smart home and in-vehicle devices. From streaming sticks and digital photo frames to infotainment systems, this new wave of infections is largely traced back to Chinese-manufactured devices embedded with malware during the supply chain process.

What makes BADBOX 2.0 particularly dangerous is its pre-infection model—the malware is already present in devices before users even complete setup. In some cases, mandatory software downloads during the first boot install backdoors that grant attackers persistent access to users’ home networks.

The FBI identified the following indicators of compromise:

  • Requests to disable Google Play Protect
  • Use of unofficial app stores
  • Devices advertised as “unlocked” or capable of delivering free content
  • Unexpected spikes in background internet traffic
  • Products from unrecognized or no-name brands


This botnet is then used to sell access to infected home networks for a variety of criminal purposes, including fraud, data theft, and proxy-based cyberattacks. Experts warn that BADBOX 2.0 has already eclipsed its predecessor in scale, reach, and sophistication.

Patch, Verify, and Isolate: Urgent Recommendations for Organizations and Consumers

As cybercrime continues to shift from isolated hacks to systemic, global campaigns, the FBI’s latest dual-advisory outlines urgent steps to minimize exposure:

For Organizations (re: Play ransomware):

  • Patch all known exploited vulnerabilities immediately.
  • Disable or tightly monitor RDP and VPN access.
  • Implement multi-factor authentication (MFA).
  • Monitor for command-and-control activity from tooling such as Cobalt Strike.
  • Regularly back up critical systems and keep backups offline.
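Two of the organizational recommendations above, monitoring for unusual lateral movement and reviewing RDP exposure, can be turned into a concrete check over Windows logon events. The following is an added example, not code from the FBI/CISA advisory or from any vendor. It assumes Security event 4624 records (logon type 10 is RemoteInteractive, i.e. RDP) have already been exported as dicts with the fields shown, and that the corporate address ranges in `INTERNAL_NETS` are known; the events, hostnames and addresses are constructed for the demonstration.

```python
"""Flag RDP lateral-movement fan-out and RDP logons from outside the LAN.

Added example, not code from the FBI/CISA advisory. It assumes Windows
Security events have been exported as dicts with the fields used below
(event 4624 = successful logon; logon_type 10 = RemoteInteractive, i.e. RDP).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_EVENT = 4624
RDP_LOGON_TYPE = 10

# Assumed corporate ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample records (times, names and addresses are made up).
SAMPLE_EVENTS = [
    # One service account opens RDP sessions to four servers in seven minutes:
    # the fan-out pattern that hands-on-keyboard lateral movement leaves behind.
    {"time": "2025-06-05T02:01:10", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23", "host": "FS01"},
    {"time": "2025-06-05T02:03:42", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23", "host": "DC01"},
    {"time": "2025-06-05T02:06:05", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23", "host": "SQL01"},
    {"time": "2025-06-05T02:08:30", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23", "host": "APP02"},
    # A network logon (logon_type 3) is not an RDP session and is ignored here.
    {"time": "2025-06-05T02:09:00", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.5.23", "host": "WEB01"},
    # Ordinary users: one or two hosts, daytime, internal sources.
    {"time": "2025-06-05T09:00:12", "event_id": 4624, "logon_type": 10, "user": "alice", "src_ip": "10.0.1.15", "host": "WS-ALICE"},
    {"time": "2025-06-05T09:30:50", "event_id": 4624, "logon_type": 10, "user": "alice", "src_ip": "10.0.1.15", "host": "WS-ALICE"},
    {"time": "2025-06-05T10:00:01", "event_id": 4624, "logon_type": 10, "user": "bob", "src_ip": "10.0.1.22", "host": "WS-BOB"},
    {"time": "2025-06-05T10:02:40", "event_id": 4624, "logon_type": 10, "user": "bob", "src_ip": "10.0.1.22", "host": "FS01"},
    # An RDP session arriving from outside the corporate ranges (203.0.113.0/24
    # is a documentation range): evidence that RDP is reachable from the internet.
    {"time": "2025-06-05T22:15:33", "event_id": 4624, "logon_type": 10, "user": "contractor", "src_ip": "203.0.113.45", "host": "JUMP01"},
]


def rdp_sessions(events):
    """Yield (timestamp, user, src_ip, host) for successful RDP logons only."""
    for e in events:
        if e["event_id"] == LOGON_EVENT and e["logon_type"] == RDP_LOGON_TYPE:
            yield datetime.fromisoformat(e["time"]), e["user"], e["src_ip"], e["host"]


def rdp_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {user: sorted distinct hosts} for accounts that reached at least
    `min_hosts` different hosts over RDP inside any sliding `window`."""
    by_user = defaultdict(list)
    for ts, user, _src, host in rdp_sessions(events):
        by_user[user].append((ts, host))
    findings = {}
    for user, sessions in by_user.items():
        sessions.sort()
        for i, (start, _) in enumerate(sessions):
            hosts = {h for ts, h in sessions[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


def external_rdp_sources(events, internal_nets=INTERNAL_NETS):
    """Return {(user, src_ip)} for RDP logons whose source address lies outside
    every known internal range: RDP that is exposed beyond the LAN."""
    return {
        (user, src) for _ts, user, src, _host in rdp_sessions(events)
        if not any(ipaddress.ip_address(src) in net for net in internal_nets)
    }


if __name__ == "__main__":
    for user, hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"fan-out: {user} -> {', '.join(hosts)}")
    for user, src in sorted(external_rdp_sources(SAMPLE_EVENTS)):
        print(f"external RDP source: {user} from {src}")
```

The fan-out threshold (three hosts in ten minutes) is a starting point, not a rule: tune it against a week of your own logs so that help-desk and backup accounts with a legitimately wide footprint are allow-listed rather than paging someone every night. The external-source check only finds RDP that is already being used from outside; pair it with a periodic scan of your own perimeter to catch exposed listeners that nobody has logged into yet.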

For Consumers (re: BADBOX 2.0):

  • Avoid devices that prompt you to disable security features like Google Play Protect.
  • Stick to reputable brands and verify authenticity before purchase.
  • Avoid “jailbroken” or “fully unlocked” devices offering free content.
  • Monitor home network traffic for irregularities.
  • Routinely update firmware on smart home devices and change default passwords.
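The BADBOX indicator "unexpected spikes in background internet traffic" and the consumer advice to "monitor home network traffic for irregularities" both come down to comparing each device against its own history. The following is an added example, not code from the FBI/IC3 bulletin or from any router vendor. It assumes hourly per-client upload byte counts can be exported from the home router (one value per hour, a week of baseline plus the current day); every device name and number below is constructed.

```python
"""Spot unusual background upload traffic per device on a home network.

Added example, not from the FBI/IC3 bulletin. It assumes hourly per-client
upload byte counts exported from a home router. All numbers are constructed.
"""
from statistics import median

# A normal laptop day: quiet overnight, heavy during work hours, moderate evening.
LAPTOP_DAY = [100_000] * 8 + [200_000_000] * 11 + [50_000_000] * 5

PHOTO_FRAME_TODAY = [4_000] * 24
PHOTO_FRAME_TODAY[2:5] = [40_000_000] * 3  # 40 MB/h pushed out at 2-4 am

LAPTOP_TODAY = list(LAPTOP_DAY)
LAPTOP_TODAY[14] = 400_000_000  # a large but plausible afternoon upload

SAMPLE = {
    # "baseline": the previous 7 days, hour by hour (168 values); "today": 24 values.
    "photo-frame": {"baseline": [4_000] * 168, "today": PHOTO_FRAME_TODAY},
    "laptop": {"baseline": LAPTOP_DAY * 7, "today": LAPTOP_TODAY},
    # A streaming stick that uploads 20 MB every hour, day and night, all week.
    "streaming-stick": {"baseline": [20_000_000] * 168, "today": [20_000_000] * 24},
}


def spike_hours(today, baseline, k=10, min_bytes=5_000_000):
    """Hours of `today` whose upload exceeds a robust threshold derived from the
    device's own baseline (median + k * MAD, never below `min_bytes`).
    Median/MAD tolerate a few abnormal hours inside the baseline itself."""
    med = median(baseline)
    mad = median(abs(v - med) for v in baseline)
    threshold = max(min_bytes, med + k * mad)
    return [hour for hour, sent in enumerate(today) if sent > threshold]


def never_idle(baseline, idle_floor=1_000_000):
    """True when a device had no quiet hour in the whole baseline window.
    A device that has been busy since day one looks 'normal' to spike_hours,
    so this catches the steady uploader that a per-device baseline cannot."""
    return min(baseline) > idle_floor


def review(sample):
    """Map device name -> list of reasons it deserves a closer look."""
    findings = {}
    for device, data in sample.items():
        reasons = []
        hours = spike_hours(data["today"], data["baseline"])
        if hours:
            reasons.append(f"upload spike at hours {hours}")
        if never_idle(data["baseline"]):
            reasons.append("never idle over the baseline week")
        if reasons:
            findings[device] = reasons
    return findings


if __name__ == "__main__":
    for device, reasons in review(SAMPLE).items():
        print(f"{device}: {'; '.join(reasons)}")
```

Upload, not download, is the useful direction here: a photo frame or streaming stick legitimately pulls large amounts of data but has almost nothing to send. The never-idle check still needs a human judgement about device class, since a NAS or a security camera uploading to cloud storage never idles either; the point is to make the device explain itself, and a no-name box that cannot be accounted for is the one to unplug.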

Cybersecurity experts warn that the fusion of ransomware operations with botnet expansion represents a new frontier in cybercrime, one where national borders offer no protection and user awareness is the only viable firewall.

Conclusion: Cyber Hygiene Must Now Be a Daily Habit

The FBI’s latest bulletins serve as a stark reminder that cybercrime is no longer confined to high-value targets. From enterprise networks to living room devices, attackers are increasingly exploiting both digital infrastructure and human complacency.

As ransomware groups like Play continue to evolve, and botnets like BADBOX 2.0 infect devices from the inside out, it’s clear: cybersecurity is not just a corporate concern; it’s a household necessity.
